Re: Management User to provision only

07-10-2009 04:15 PM

I'm wondering if, instead of creating custom roles for activities like this, Aruba should implement command restriction support via TACACS+ authorization. That way, the user's logon role could still be "root," but their command execution can be limited.

So, specific activities like AP provisioning or whatever else someone may want to lock down, can be done by the user themselves.

Re: Management User to provision only

07-10-2009 04:39 PM

That's a good idea, but I'm not sure how many folks use TACACS+ to authenticate users. Seems popular in larger Cisco shops, but the system would have to also accommodate those using other tools. Would an AirWave role also work? It would probably require us to implement role permission flexibility into AirWave to avoid creating a ton of custom roles.

It might also be possible to support functions like this via the XML API that is a part of PEF in 3.4. That would require custom scripting on the user side of things, but could possibly be built into a provisioning system in much the same way that carriers automate things via CORBA scripting. It sounds like that might be the use case here, where lots of APs are being provisioned by low-level employees.

Re: Management User to provision only

07-10-2009 05:22 PM

Good point Andy, some use local accounts and RADIUS. Actually, I think AOS can only get role assignment from RADIUS anyway, so doing all that work for command auth with TACACS might not be all that worth it.

Re: Management User to provision only

09-22-2009 05:07 AM

Hi Terry,

There isn't any way to get that granular in the system. Can you give us some more information on the use case for this role?

thanks,
-awl

Sorry, I dropped off the face of the earth there for a while. In a nutshell, my access points are deployed by technicians in our organization while I am responsible for the configuration side of things. It seems to me that when a technician is doing the physical installations it would be of benefit for them to be able to properly provision each AP in the FQLN mapper. I would like to be able to allow this to happen without giving the tech the rights to modify any other settings.